6 files changed, 78 insertions, 70 deletions
diff --git a/lib/ssl/c_src/Makefile.in b/lib/ssl/c_src/Makefile.in
index 49a209f2eb..da716f7c40 100644
--- a/lib/ssl/c_src/Makefile.in
+++ b/lib/ssl/c_src/Makefile.in
@@ -28,6 +28,8 @@ include $(ERL_TOP)/make/$(TARGET)/otp.mk
 # ----------------------------------------------------
 SSL_LIBDIR = @SSL_LIBDIR@
 SSL_INCLUDE = @SSL_INCLUDE@
+SSL_CRYPTO_LIBNAME = @SSL_CRYPTO_LIBNAME@
+SSL_SSL_LIBNAME = @SSL_SSL_LIBNAME@
 
 # ----------------------------------------------------
 # Application version
@@ -134,7 +136,7 @@ ifeq ($(findstring @,$(SSL_CC_RUNTIME_LIBRARY_PATH)),@)
 SSL_CC_RUNTIME_LIBRARY_PATH = $(CC_R_OPT)
 endif
 
-SSL_LINK_LIB=-L$(SSL_LIBDIR) -lssl -lcrypto
+SSL_LINK_LIB=-L$(SSL_LIBDIR) -l$(SSL_SSL_LIBNAME) -l$(SSL_CRYPTO_LIBNAME)
 else 
 # not dynamic crypto lib (default from R11B-5)
 NEED_KERBEROS=@SSL_LINK_WITH_KERBEROS@
@@ -142,7 +144,7 @@ NEED_ZLIB=@SSL_LINK_WITH_ZLIB@
 SSL_MAKEFILE =
 CC_R_OPT =
 SSL_CC_RUNTIME_LIBRARY_PATH=
-SSL_LINK_LIB = $(SSL_LIBDIR)/libssl.a $(SSL_LIBDIR)/libcrypto.a 
+SSL_LINK_LIB = $(SSL_LIBDIR)/lib$(SSL_SSL_LIBNAME).a $(SSL_LIBDIR)/lib$(SSL_CRYPTO_LIBNAME).a 
 ifeq ($(NEED_KERBEROS),yes)
 SSL_LINK_LIB += @STATIC_KERBEROS_LIBS@
 endif
@@ -175,7 +177,7 @@ $(BINDIR)/ssl_esock: $(OBJS)
 
 # Win32/Cygwin
 $(BINDIR)/ssl_esock.exe: $(OBJS)
-	$(LD) $(SSL_CC_RUNTIME_LIBRARY_PATH) -L$(SSL_LIBDIR) -o $@ $^ -lwsock32 -llibeay32 -lssleay32
+	$(LD) $(SSL_CC_RUNTIME_LIBRARY_PATH) -L$(SSL_LIBDIR) -o $@ $^ -lwsock32 -l$(SSL_CRYPTO_LIBNAME) -l$(SSL_SSL_LIBNAME)
 
 # Unix only, and only when linking statically
 $(SSL_MAKEFILE):
diff --git a/lib/ssl/doc/src/notes.xml b/lib/ssl/doc/src/notes.xml
index 52ee9c086a..b2d17925fd 100644
--- a/lib/ssl/doc/src/notes.xml
+++ b/lib/ssl/doc/src/notes.xml
@@ -1,4 +1,4 @@
-<?xml version="1.0" encoding="latin1" ?>
+<?xml version="1.0" encoding="iso-8859-1" ?>
 <!DOCTYPE chapter SYSTEM "chapter.dtd">
 
 <chapter>
@@ -28,59 +28,47 @@
     <rev>G</rev>
     <file>notes.xml</file>
   </header>
-  <p>This document describes the changes made to the SSL application.
-    </p>
-
-    <section><title>SSL 4.1.4</title>
-
+  <p>This document describes the changes made to the SSL application.</p>
+  
+  <section>
+    <title>SSL 4.1.5</title>
+    
     <section><title>Improvements and New Features</title>
-      <list>
-        <item>
-          <p>
-	    Reduced memory footprint of an ssl connection.</p>
-          <p>
-	    Handshake hashes, premaster secret and "public_key_info"
-	    does not need to be saved when the connection has been
-	    established. The own certificate is no longer duplicated
-	    in the state.</p>
-          <p>
-	    Own Id: OTP-9021</p>
-        </item>
-        <item>
-          <p>
-	    Add the option {hibernate_after, int()} to ssl:connect
-	    and ssl:listen</p>
-          <p>
-	    Own Id: OTP-9106</p>
-        </item>
-      </list>
+    <list>
+      <item>
+	<p>Calling gen_tcp:connect with option {ip, {127,0,0,1}} results in 
+	an exit with reason badarg. Neither SSL nor INETS This was not 
+	catched, resulting in crashes with incomprehensible reasons.</p>
+	<p>Own Id: OTP-9289 Aux Id: seq11845</p>
+      </item>
+    </list>
     </section>
-
-</section>
-
-<section><title>SSL 4.1.3</title>
-
+    
+  </section>
+  
+  <section>
+    <title>SSL 4.1.3</title>
+  
     <section><title>Fixed Bugs and Malfunctions</title>
-      <list>
-        <item>
-          <p>
-	    Fixed error in cache-handling fix from ssl-4.1.2</p>
-          <p>
-	    Own Id: OTP-9018 Aux Id: seq11739 </p>
-        </item>
-        <item>
-          <p>
-	    Verification of a critical extended_key_usage-extension
-	    corrected</p>
-          <p>
-	    Own Id: OTP-9029 Aux Id: seq11541 </p>
-        </item>
-      </list>
+    <list>
+      <item>
+	<p>
+	Fixed error in cache-handling fix from ssl-4.1.2</p>
+	<p>
+	Own Id: OTP-9018 Aux Id: seq11739 </p>
+      </item>
+      <item>
+	<p>Verification of a critical extended_key_usage-extension
+	corrected</p>
+	<p>Own Id: OTP-9029 Aux Id: seq11541 </p>
+      </item>
+    </list>
     </section>
 
-</section>
+  </section>
 
-<section><title>SSL 4.1.2</title>
+  <section>
+    <title>SSL 4.1.2</title>
 
     <section><title>Fixed Bugs and Malfunctions</title>
       <list>
diff --git a/lib/ssl/src/ssl.appup.src b/lib/ssl/src/ssl.appup.src
index a0ecb4ac6f..cf8867245b 100644
--- a/lib/ssl/src/ssl.appup.src
+++ b/lib/ssl/src/ssl.appup.src
@@ -5,7 +5,7 @@
   {"4.1.3", [{restart_application, ssl}]},
   {"4.1.2", [{restart_application, ssl}]},
   {"4.1.1", [{restart_application, ssl}]},
-  {"4.1", [{restart_application, ssl}]},
+  {"4.1",   [{restart_application, ssl}]},
   {"4.0.1", [{restart_application, ssl}]}
  ], 
  [
@@ -13,7 +13,7 @@
   {"4.1.3", [{restart_application, ssl}]},
   {"4.1.2", [{restart_application, ssl}]},
   {"4.1.1", [{restart_application, ssl}]},
-  {"4.1", [{restart_application, ssl}]},
+  {"4.1",   [{restart_application, ssl}]},
   {"4.0.1", [{restart_application, ssl}]}
  ]}.
 
diff --git a/lib/ssl/src/ssl.erl b/lib/ssl/src/ssl.erl
index 380c59b058..0ced6707eb 100644
--- a/lib/ssl/src/ssl.erl
+++ b/lib/ssl/src/ssl.erl
@@ -611,8 +611,10 @@ do_new_connect(Address, Port,
     catch
 	exit:{function_clause, _} ->
 	    {error, {eoptions, {cb_info, CbInfo}}};
+	exit:badarg ->
+	    {error, {eoptions, {inet_options, UserOpts}}};
 	exit:{badarg, _} ->
-	    {error,{eoptions, {inet_options, UserOpts}}}
+	    {error, {eoptions, {inet_options, UserOpts}}}
     end.
 
 old_connect(Address, Port, Options, Timeout) ->
diff --git a/lib/ssl/src/ssl_connection.erl b/lib/ssl/src/ssl_connection.erl
index 0a86e9bd29..2c452837f8 100644
--- a/lib/ssl/src/ssl_connection.erl
+++ b/lib/ssl/src/ssl_connection.erl
@@ -941,17 +941,23 @@ handle_info({Protocol, _, Data}, StateName,
 
 handle_info({CloseTag, Socket}, _StateName,
             #state{socket = Socket, close_tag = CloseTag,
-		   negotiated_version = Version, host = Host,
-		   port = Port, socket_options = Opts, 
+		   negotiated_version = Version,
+		   socket_options = Opts,
 		   user_application = {_Mon,Pid}, from = From, 
-		   role = Role, session = Session} = State) ->
-    %% Debug option maybe, the user do NOT want to see these in their logs
-    %% error_logger:info_report("SSL: Peer did not send close notify alert."),
+		   role = Role} = State) ->
+    %% Note that as of TLS 1.1,
+    %% failure to properly close a connection no longer requires that a
+    %% session not be resumed.  This is a change from TLS 1.0 to conform
+    %% with widespread implementation practice.
     case Version of
 	{1, N} when N >= 1 ->
 	    ok;
 	_ ->
-	    invalidate_session(Role, Host, Port, Session)
+	    %% As invalidate_sessions here causes performance issues,
+	    %% we will conform to the widespread implementation
+	    %% practice and go aginst the spec
+	    %%invalidate_session(Role, Host, Port, Session)
+	    ok
     end,
     alert_user(Opts#socket_options.active, Pid, From,
 	       ?ALERT_REC(?WARNING, ?CLOSE_NOTIFY), Role),
diff --git a/lib/ssl/src/ssl_manager.erl b/lib/ssl/src/ssl_manager.erl
index f845b1ecc0..5a2d0c9496 100644
--- a/lib/ssl/src/ssl_manager.erl
+++ b/lib/ssl/src/ssl_manager.erl
@@ -1,7 +1,7 @@
 %%
 %% %CopyrightBegin%
 %%
-%% Copyright Ericsson AB 2007-2010. All Rights Reserved.
+%% Copyright Ericsson AB 2007-2011. All Rights Reserved.
 %%
 %% The contents of this file are subject to the Erlang Public License,
 %% Version 1.1, (the "License"); you may not use this file except in
@@ -57,6 +57,7 @@
 -define('24H_in_sec', 8640).
 -define(SESSION_VALIDATION_INTERVAL, 60000).
 -define(CERTIFICATE_CACHE_CLEANUP, 30000).
+-define(CLEAN_SESSION_DB, 60000).
 
 %%====================================================================
 %% API
@@ -70,7 +71,8 @@ start_link(Opts) ->
     gen_server:start_link({local, ?MODULE}, ?MODULE, [Opts], []).
 
 %%--------------------------------------------------------------------
--spec connection_init(string()| {der, list()}, client | server) -> {ok, reference(), cache_ref()}.
+-spec connection_init(string()| {der, list()}, client | server) ->
+			     {ok, reference(), cache_ref()}.
 %%			     
 %% Description: Do necessary initializations for a new connection.
 %%--------------------------------------------------------------------
@@ -101,7 +103,9 @@ lookup_trusted_cert(Ref, SerialNumber, Issuer) ->
     ssl_certificate_db:lookup_trusted_cert(Ref, SerialNumber, Issuer).
 %%--------------------------------------------------------------------
 -spec issuer_candidate(cert_key() | no_candidate) -> 
-			      {cert_key(), {der_cert(), #'OTPCertificate'{}}} | no_more_candidates.      
+			      {cert_key(),
+			       {der_cert(),
+				#'OTPCertificate'{}}} | no_more_candidates.
 %%
 %% Description: Return next issuer candidate.
 %%--------------------------------------------------------------------
@@ -117,7 +121,8 @@ client_session_id(Host, Port, SslOpts, OwnCert) ->
     call({client_session_id, Host, Port, SslOpts, OwnCert}).
 
 %%--------------------------------------------------------------------
--spec server_session_id(host(), port_num(), #ssl_options{}, der_cert()) -> session_id().
+-spec server_session_id(host(), port_num(), #ssl_options{},
+			der_cert()) -> session_id().
 %%
 %% Description: Select a session id for the server.
 %%--------------------------------------------------------------------
@@ -139,7 +144,9 @@ register_session(Port, Session) ->
 -spec invalidate_session(port_num(), #session{}) -> ok.
 -spec invalidate_session(host(), port_num(), #session{}) -> ok.
 %%
-%% Description: Make the session unavilable for reuse.
+%% Description: Make the session unavailable for reuse. After
+%% a the session has been marked "is_resumable = false" for some while
+%% it will be safe to remove the data from the session database.
 %%--------------------------------------------------------------------
 invalidate_session(Host, Port, Session) ->
     cast({invalidate_session, Host, Port, Session}).
@@ -259,23 +266,26 @@ handle_cast({register_session, Port, Session},
     {noreply, State};
 
 handle_cast({invalidate_session, Host, Port, 
-	     #session{session_id = ID}}, 
+	     #session{session_id = ID} = Session},
 	    #state{session_cache = Cache,
 		   session_cache_cb = CacheCb} = State) ->
-    CacheCb:delete(Cache, {{Host, Port}, ID}),
+    CacheCb:update(Cache, {{Host, Port}, ID}, Session#session{is_resumable = false}),
+    timer:apply_after(?CLEAN_SESSION_DB, CacheCb, delete, {{Host, Port}, ID}),
     {noreply, State};
 
-handle_cast({invalidate_session, Port, #session{session_id = ID}}, 
+handle_cast({invalidate_session, Port, #session{session_id = ID} = Session},
 	    #state{session_cache = Cache,
 		   session_cache_cb = CacheCb} = State) ->
-    CacheCb:delete(Cache, {Port, ID}),
+    CacheCb:update(Cache, {Port, ID}, Session#session{is_resumable = false}),
+    timer:apply_after(?CLEAN_SESSION_DB, CacheCb, delete, {Port, ID}),
     {noreply, State};
 
 handle_cast({recache_pem, File, LastWrite, Pid, From},
 	    #state{certificate_db = [_, FileToRefDb, _]} = State0) ->
     case ssl_certificate_db:lookup(File, FileToRefDb) of
 	undefined ->
-	    {reply, Msg, State} = handle_call({{cache_pem, File, LastWrite}, Pid}, From, State0),
+	    {reply, Msg, State} =
+		handle_call({{cache_pem, File, LastWrite}, Pid}, From, State0),
 	    gen_server:reply(From, Msg),
 	    {noreply, State};
 	_ -> %% Send message to self letting cleanup messages be handled